Eugene Panferov

Interview With Eugene Panferov

Email interview held on 9th September 2017, as follows, between Alan Radley (questioner) and Eugene Panferov (relator):

It is my pleasure to answer your questions that may require a whole book or two for an answer. I take it as an intellectual challenge of conciseness.

1. What are your thoughts on the current state of cybersecurity …
What are the reasons behind the many security breaches/failures
that we see today?

I am glad to see these two questions being conjoined.
Indeed, whichever I try to answer, I will answer the other.

The current state of cybersecurity is grave.

The many problems we are trying to solve with computer software do not belong to the computer realm at all. Most infosec issues are rooted deeply in the human software and hardware, while humans are out of scope. We are looking for solutions in the realm of our expertise, not the realm of the problem we are facing!

Some other problems are pure malevolence, and we ignore them altogether because WE ARE AFRAID TO SPEAK UP against the market giants; they ARE giants after all, and they have harnessed both the market forces and the governments to the point where the free market no longer exists. But at the end of the day it comes full circle back to human psychology.

I must clarify the distinction between “a problem” and “an issue”. An issue is an observable failure of any sort with some negative impact; it may entail a problem: “we need to resolve this issue”. A problem, on the other hand, is a wider term: anything that requires a solution. A problem is not necessarily an issue (no negative impact); it might be: “we need to create something”.

Sometimes infosec experts dabble in users’ psychology, but very superficially, and only in application to “those pesky users”, as if it were a factor in their issues, whereas it is THE PRIME MOVER of all infosec failures, not only users’ failures. A huge mistake on so many levels! I am not referring to the infamous “human factor” (we can set aside for now all those cases: “a hacker called tech support and convinced them he is a legitimate user”); I am talking about software bugs and software design mistakes. They all originated from a human brain, and they reflect the brain’s bugs, which are never examined.

We systematically fail to address the systemic cause of infosec issues: bugs in the human brain. We unanimously and fully rely on the “common sense” of… ourselves. Yes, ourselves! Not the users, not even the developers; nothing less than all of us together. We treat infosec far too intuitively at every corner, and we expect others to exercise the same intuition… THE INTUITION WE DO NOT POSSESS.

Your brain is not designed; it evolved. It evolved in the complete absence of computers, to solve problems that have nothing to do with computers, infosec, maths, logic, etc. What other than arrogance makes you think that you can FEEL the right solution to a problem that constituted no selective pressure for your ancestors, not even for a single generation? And this arrogance I mentioned is the natural way we feel about our mental faculties; each and every man does, and it also factors into the problem in question.

Trashing the intuition is a huge problem, perhaps the biggest and the most important.

People make assumptions about everything. People make assumptions that feel natural to them. These assumptions are always mind-blowingly wrong when applied to any software, because software does not obey physical laws, which are the implied (hardcoded in the brain) basis of the assumptions people make. People evolved a tool to operate in the physical world; they apply this tool to the non-physical world; it fails like a prayer! People continue to use it, because they did not evolve any critical perception of the only reasoning tool they have had for the last 10^5 years.

People do not question themselves, their motivations, their reactions, their persuasions. Whereas infosec requires ordinary people to question the very basics of their reasoning: how do you know? What do you accept as a proof? WHY? All my life I was ARROGANTLY (see above) convinced that all people regularly ask these questions; it FEELS NATURAL (see above) to me. Oh! Lord Almighty! How terribly wrong I was! I am your cautionary tale: I projected my intuition onto the people I was criticizing for projecting their intuition onto other people and software. It is not always true that other people share your intuition, let alone software, yet we always assume it. Great shame.

People project their expectations onto software. For the most part it works with other animals (you know what to expect when you are poking a bear or a human with a stick); it never works with software. NEVER. But, I am afraid, I repeat myself.

People disregard simple basic things. These things constitute the core of infosec. It is impossible to make a man think about the most important aspects of the infosec realm. What IS a password? What do you mean “MY” password? Don’t be silly! It’s obvious! Great, make it obvious for me. [crickets chirping]. The simplest things are the most important in science, because they constitute the foundation, the utmost necessity of any reasoning, and at the same time these foundational things are the least important for the human mind, because they are seemingly trivial, and colloquial language often fails to express them…

People overlook things that are not part of common parlance. The human mind values speech above scientific facts. Infosec apparently belongs to this unspoken realm; therefore it does not exist. No, I am not talking about the popularization of infosec, but about the ability of human language to grasp the problems of infosec. For ordinary people (infosec experts included), if we cannot express a problem verbally we do not see it. Sometimes mathematically minded people manage to draw an accurate diagram, but at the end of the day they are ignored. Out of speech, out of mind.

People value, adore, revere complexity. Complexity kills security right from the start. People are willing to pay for complexity however unnecessary (the more the better); complexity itself is seen as a desirable quality, as an indication of great labour, great thought, diligence and care. Nobody will pay you for a simple secure solution if a complex solution is available and properly named: “defender”, “protector”, “savior” (see also: Russell Conjugation). Even those few really effective and simple solutions that have any success on the infosec market PRETEND TO BE INTRICATELY COMPLEX: a trivial Windows tweaker has at least 3 tiers of modal windows in its user interface and, absolutely necessarily, a progress bar, or better still two of them.

People value tangible things. Whereas infosec is a state and a property… of an intangible object, not even the object itself. People expect “security” to be an item. When and if a man pays for something he expects to ACQUIRE it, if not to physically take it in his hands, then at least to shove it into his computer’s memory. Which is rarely the case in the cybersecurity realm: for better security you have to remove much more stuff from your computer rather than add anything. However, if I remove a malevolent program from your computer you are not compelled to pay me (I did not give you anything for your money, I took from you!); you rather feel like demanding payment from me. We do not sell people the act of removing something; we sell them a REMOVER PROGRAM that takes a lengthy installation in order to make them feel the purchase. This issue is not as trivial as you may think; it is sufficiently deep to affect the entirety of the infosec language! We say “close a TCP port” whereas in fact we do NOT close it, we CEASE keeping it open. An open port requires an active action on the victim’s part; a closed port IS PURE INACTION. But, again, we cannot sell inaction, even though inaction is what we need for security in 9 cases out of 10.

These are the foundation upon which the three pillars of InfoSec Market stand: False Nomination, False Attribution, False Entitification.

Yes, the infosec market is based on and consists of pure falsehoods.
But this is a topic for another discussion. Hopefully, I have explained what makes cybersecurity a difficult field of study (and therefore enables an entire market of falsehoods).
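The remark above that a port is not “closed” but merely no longer kept open can be shown on the wire. The script below is an added example by the editor, not code from the interview or from Eugene Panferov: it classifies a TCP port by the way a `connect()` attempt fails (handshake completes: someone is actively listening; RST: nothing listens and the kernel refuses on its own; no answer: something is actively dropping the SYN), then opens an ephemeral loopback listener, probes it, stops listening and probes again. The hostnames, port choice and function names are assumptions for the demonstration; the “filtered” and “unreachable” branches are only reachable against a real network.

```python
"""Added example (not from the interview): what "closing a TCP port" means on the wire.

A port is "open" only while some process actively holds a listening socket.
"Closing" it is ceasing to listen: the kernel then answers SYNs with RST on
its own, no further action by the owner required. A firewall that silently
drops the SYN is a third, *active* state ("filtered").
"""
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    open        -> TCP handshake completed: somebody is actively listening
    closed      -> RST received: nothing listens, the kernel refuses by default
    filtered    -> no answer within the timeout: something drops the SYN
    unreachable -> no route to the host; the host itself cannot be reached
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def listen_then_stop(host: str = "127.0.0.1") -> tuple:
    """Open an ephemeral loopback port, probe it, stop listening, probe again.

    Returns (port, state_while_listening, state_after_close). The second state
    is "closed" without anything having been *added*: the listener simply went
    away, and the kernel's default RST does the rest.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, 0))          # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp(host, port)
    listener.close()                  # the only "action" is to stop acting
    after_close = probe_tcp(host, port)
    return port, while_listening, after_close


if __name__ == "__main__":
    port, before, after = listen_then_stop()
    print(f"port {port}: {before} while listening, {after} once the listener is gone")
```

Run as a script and the same port number reports `open` and then `closed` with no firewall rule, no “closing” tool and no program installed; the attack surface disappeared because a process stopped doing something. A scanner that reports `filtered` is seeing the opposite: an active component on the path.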

3. Where do you go to find your “science” of cybersecurity?

I don’t.
Cybersecurity finds me and gives me headache.

4. Do you recommend a particular cybersecurity blog that our readers could follow?

Of course I recommend ithipster.com.
It is not dedicated to cybersecurity exclusively, but it happens to contain a lot of it; at least 3/4 of the articles are overtly related to cybersecurity. Coincidence? 🙂

5. What keeps you up at night in the context of the cyber environment that the world finds itself in?

Not literally “up at night”, but a huge dose of pessimism…
Humanity is approximately 10^5 years old; medicine and criminology are about 100 years old. It took almost 10^5 years for humanity to understand the very basic aspects of human life and formulate an appropriate science. Mathematics is 5000 years old; mathematical logic is merely 50 years old. It took almost 5000 years for people to formulate the foundations of the mental tool they use every day. Computers are 50 years old. Infosec digs deep into the foundations of computer “science”. We are to expect a proper computer science within the next 5000 years.

—

Thank you kindly Eugene Panferov for taking the time (and energy) out of what must be a very busy schedule to answer our questions in such a philosophical/enlightening way.

—

Interviewee: Eugene Panferov,

An Independent Thinker.

—

Eugene Panferov – Biography

Eugene Panferov has over 18 years of experience in the software industry in various roles (practicing multiple languages and paradigms). Eugene has contributed to quite a few successful projects.

Eugene is devoted to UNIX principles, and he always tries to keep things simple, shorten the processing chain, and restrict dependencies to the bare minimum. Eugene always begins with a formal model of a problem, and carefully documents his design decisions.

Eugene’s motto is: “It is easy to complicate and difficult to simplify”.

Eugene has a master’s degree in Applied Mathematics.
Eugene is interested in Functional Programming, and is currently learning OCaml.
Eugene contributes to the Open Source community.
Eugene writes research papers on Computer Science.
